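#!/bin/bash
# key-import.sh — create an AWS KMS key with EXTERNAL origin, wrap locally held
# key material with the key's import parameters, import it, and attach an alias.
#
# Usage: key-import.sh key-file key-alias
#   key-file   raw (unwrapped) key material to import; read-only, never deleted
#              by this script — disposing of it is the caller's responsibility
#   key-alias  alias name, created as "alias/<key-alias>"
#
# Requires: openssl, awscli, jq, base64. The AWS CLI must already be configured
# with credentials for the kms calls made below.
# Output: the final `aws kms describe-key` JSON on stdout.
set -euo pipefail

if [ $# -lt 2 ]; then
  printf '%s\n' "This tool requires openssl, awscli, jq and base64." >&2
  printf '%s\n' "Usage: key-import.sh key-file key-alias" >&2
  exit 2   # usage error: non-zero so callers/CI notice (previously exited 0)
fi

keyFile=$1
keyAlias=$2

if [ ! -r "$keyFile" ]; then
  printf 'key file not readable: %s\n' "$keyFile" >&2
  exit 1
fi

for tool in openssl aws jq base64; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf 'missing required tool: %s\n' "$tool" >&2
    exit 1
  fi
done

# Intermediate artifacts (wrapping public key, import token, wrapped key
# material) live in a private temp dir and are removed on every exit path,
# not only after a successful run.
workDir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$workDir"' EXIT

# Keep the key id in a variable rather than a file in the working directory;
# pipefail makes a failed create-key abort here instead of continuing with an
# empty --key-id.
keyId=$(aws kms create-key --origin EXTERNAL --description "Customer managed key" \
  | jq -cr .KeyMetadata.KeyId)
if [ -z "$keyId" ] || [ "$keyId" = "null" ]; then
  printf '%s\n' "could not obtain a KeyId from aws kms create-key" >&2
  exit 1
fi

aws kms get-parameters-for-import --key-id "$keyId" \
  --wrapping-algorithm RSAES_OAEP_SHA_256 \
  --wrapping-key-spec RSA_2048 > "$workDir/import.json"

# The CLI returns PublicKey and ImportToken base64-encoded; decode to raw bytes.
jq -cr .PublicKey "$workDir/import.json" | base64 -d > "$workDir/PublicKey.bin"
jq -cr .ImportToken "$workDir/import.json" | base64 -d > "$workDir/ImportToken.bin"

# Wrap the key material with the DER public key using the OAEP/SHA-256 mode
# that matches the --wrapping-algorithm requested above.
openssl pkeyutl -encrypt -in "$keyFile" -inkey "$workDir/PublicKey.bin" -keyform DER \
  -pubin -out "$workDir/EncryptedKeyMaterial.bin" \
  -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

aws kms import-key-material --key-id "$keyId" \
  --encrypted-key-material "fileb://$workDir/EncryptedKeyMaterial.bin" \
  --import-token "fileb://$workDir/ImportToken.bin" \
  --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

aws kms create-alias --alias-name "alias/$keyAlias" --target-key-id "$keyId"
aws kms describe-key --key-id "$keyId"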